802.1X MDA Packet Format Question

Mar 4th, 2008

When a phone is on the voice VLAN, a packet destined for it should have an 802.1q tag with a VLAN ID of the voice VLAN.

Does the EAP packet (for the phone) have an 802.1q vlan header when using 802.1X MDA? What about re-authentication packets?

The RFC says VLAN tagging is not supported but it was not written with MDA in mind.

ebreniz Mon, 03/10/2008 - 13:55

You can add the MAC address on ACS for MAB with an asterisk (*). This immediately allows you to get the IP phones added to the voice VLAN. I guess it's not possible that a "2-VLAN trunk" between the ATA186 and the switch is getting built up. MDA has been developed exactly for all those devices.


jafrazie (Cisco Employee) Mon, 03/10/2008 - 14:01

EAPOL frames are not tagged. It wouldn't matter what vlan a device thinks it should be on. If the switch has not authenticated it, it wouldn't know it's a phone (yet) anyway.

EAPOL is sent to the specific MAC address of the device for ports enabled for MDA. This includes re-auth frames.
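
One way to check the behaviour described in the reply above against a packet capture, as an added example that is not part of the original thread: it parses a raw Ethernet frame and reports whether an EAPOL frame carries an 802.1Q tag and whether it is addressed to the device's own MAC. The MAC addresses, VLAN 110 and the sample frames are constructed for illustration.

```python
import struct

ETH_P_8021Q = 0x8100  # TPID of an 802.1Q VLAN tag
ETH_P_PAE = 0x888E    # EtherType of EAPOL (802.1X)

def parse_frame(frame: bytes) -> dict:
    """Return destination MAC, VLAN ID (None if untagged) and EAPOL type."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18  # VLAN ID is the low 12 bits of the TCI
    eapol_type = None
    if ethertype == ETH_P_PAE:
        if len(frame) < offset + 4:
            raise ValueError("truncated EAPOL header")
        eapol_type = frame[offset + 1]  # 0 = EAP-Packet, 1 = EAPOL-Start
    return {"dst": dst, "vlan_id": vlan_id, "eapol_type": eapol_type}

def eapol_findings(frame: bytes, device_mac: bytes) -> list:
    """List deviations of a switch-to-device frame from the behaviour above."""
    info = parse_frame(frame)
    if info["eapol_type"] is None:
        return ["not EAPOL"]
    findings = []
    if info["vlan_id"] is not None:
        findings.append(f"EAPOL carries 802.1Q tag, VLAN {info['vlan_id']}")
    if info["dst"] != device_mac:
        findings.append("EAPOL not addressed to the device MAC")
    return findings

# Constructed sample frames (MACs, VLAN 110 and payloads are made up).
PHONE, SWITCH = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
EAP_REQ_ID = bytes.fromhex("0101000501")  # EAP Request/Identity, id 1
EAPOL = bytes([2, 0]) + struct.pack("!H", len(EAP_REQ_ID)) + EAP_REQ_ID
UNTAGGED_EAPOL = PHONE + SWITCH + struct.pack("!H", ETH_P_PAE) + EAPOL
TAGGED_EAPOL = (PHONE + SWITCH + struct.pack("!HH", ETH_P_8021Q, 110)
                + struct.pack("!H", ETH_P_PAE) + EAPOL)
VOICE_DATA = (PHONE + SWITCH + struct.pack("!HH", ETH_P_8021Q, 110)
              + struct.pack("!H", 0x0800) + b"\x45" + bytes(19))

if __name__ == "__main__":
    for f in (UNTAGGED_EAPOL, TAGGED_EAPOL, VOICE_DATA):
        print(parse_frame(f), eapol_findings(f, PHONE))
```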

